We’ve done a lot of research on many topics related to payments processing, and PSD2 is one of the most dry and dreary we have come across. First of all, it’s legislation, so that puts it into the snooze column right away. But it also presents complex challenges for merchants that need to comply with it, which makes it the perfect topic for a ChargebackHelp makeover!
We’re going to assuage the tedium of this regulatory framework so that you’ll achieve better PSD2 compliance as a merchant. ChargebackHelp is following PSD2 closely because, while it may reduce fraud and enhance innovation, it is also going to add some transaction friction into European eCommerce and likely increase online fraud attacks outside of Europe. We’re looking at ways for merchants to keep ahead of the curve in a post-PSD2 market (read: loopholes). We invite you to join us here as we look at what is PSD2, what’s at stake for merchants, and who owns the future of eCommerce.
What is the PSD2?
Sorry nerds, PSD2 is not a video game sequel or a Star Wars character. The Payment Services Directive (PSD) is an evolving regime of laws by the European Union that govern payments services within the European Economic Area (EEA). “Evolving” because since it was first enacted in 2007, the PSD needed some updates, culminating in the PSD2. This second directive addressed payment security concerns and the emerging market of third-party payments services providers aka “fintechs”.
First, PSD2 loosens the banks’ monopoly on financial services. Banks must open their APIs to allow third-party access to their customers’ accounts, at that customer’s request. This enshrines two new sectors in the financial services industry: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). AISPs are applications that help consumers monitor and budget their spending. PISPs are services such as peer-to-peer (P2P) payment apps and online bill payment. Services like these no longer have to partner with banks or states and can market directly to consumers.
Second, because of this new open frontier of third-party services, PSD2 mandates what is called “Strong Consumer Authentication” (SCA) in transactions. Now pay attention because you’re about to learn something cool here… In all the history of confirming one’s identity — whether it’s a secret handshake, legal evidence, or nuclear launch codes — authentication is proven by at least one of three factors:
- What you know (knowledge) — passwords, billing addresses, PIN
- What you have (ownership) — keys, credit cards, CVV
- Who you are (inherence) — signature, fingerprints
PSD2 requires that any transaction within the EEA have at least two of these factors built into the API managing it. Going forward, most Europeans will have to provide a password (what they know) plus something else they either have or are. It can be a code texted to their phone (ownership), a biometric imprint (inherence), or something along those lines.
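To make the "two distinct factors" rule concrete, here is an added example (not from the original post) that classifies checkout evidence into the three categories listed above and flags combinations that look like two checks but belong to the same category. The category assignments follow the post's own bullet list; the evidence labels (`sms_code`, `card_number`, etc.) are constructed for illustration.

```python
"""Added example: does a set of checkout evidence satisfy SCA's rule of
at least two *distinct* authentication factors? Categories follow the
post's three bullets; evidence labels are constructed, not a real API."""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "what you know"
    POSSESSION = "what you have"
    INHERENCE = "who you are"


# Mapping taken from the post's bullet points (plus the texted code it
# mentions as an ownership factor).
FACTOR_OF = {
    "password": Factor.KNOWLEDGE,
    "billing_address": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "card_number": Factor.POSSESSION,
    "cvv": Factor.POSSESSION,
    "sms_code": Factor.POSSESSION,  # one-time code texted to the customer's phone
    "fingerprint": Factor.INHERENCE,
    "signature": Factor.INHERENCE,
}


def factors_present(evidence):
    """Return the set of distinct factor categories the evidence covers.
    Unclassified evidence raises instead of silently counting as a factor."""
    unknown = [e for e in evidence if e not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unclassified evidence: {unknown}")
    return {FACTOR_OF[e] for e in evidence}


def satisfies_sca(evidence):
    """Two or more items from the *same* category (password + PIN, or card
    number + CVV) count as one factor, so they do not satisfy SCA."""
    return len(factors_present(evidence)) >= 2


def explain(evidence):
    """Human-readable verdict, handy when logging a checkout decision."""
    cats = sorted(f.name.lower() for f in factors_present(evidence))
    verdict = "SCA satisfied" if satisfies_sca(evidence) else "SCA NOT satisfied"
    return f"{verdict}: {len(cats)} factor(s) -> {', '.join(cats)}"


if __name__ == "__main__":
    print(explain(["password", "sms_code"]))            # knowledge + possession
    print(explain(["password", "pin"]))                 # both knowledge: fails
    print(explain(["card_number", "cvv"]))              # both possession: fails
    print(explain(["billing_address", "fingerprint"]))  # knowledge + inherence
```

Note that the classic card-not-present checkout (card number plus CVV) lands in a single category under this scheme, which is exactly why it does not count as SCA on its own.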
What’s at stake for merchants?
The concept of Strong Consumer Authentication sounds great if you’re a consumer. But as a merchant, whenever the rules change on authenticating transactions, the inevitable learning curve can create checkout friction. Critics are wary of PSD2 driving up false positives and cart abandonment. And with the SCA requirements set to go live on 14 September 2019, merchants are getting nervous.
Big companies with teams of lawyers poring over the details of PSD2 have the resources to prepare. Netflix has already finagled an exemption for its subscription model, where SCA is required for the first transaction only. Amazon and Apple have forged “trusted merchant” exemptions because of their low fraud ratios. The giants of industry once again pave a path through new regulations that suits them well; but what about smaller businesses, and high-risk merchants in particular?
One leg out = one leg up
If you had to deal with the EU’s General Data Protection Regulation (GDPR), you’re familiar with the concept of “legs in”. Whether you have two legs in (a European doing business in Europe) or one leg in (a non-European doing business in Europe), you have to comply with the GDPR. PSD2, on the other hand, mostly applies to two-leg transactions only. This provides merchants doing business in Europe with a bit of daylight around the SCA requirement.
Non-European merchants can continue using their current authentication models. However, even if you’re a two-legged merchant, there is a way around the SCA requirement as well: using a non-European merchant account. If your acquiring bank is based outside the EEA, then your current authentication procedure is sufficient. Ultimately, you will have to reckon with the SCA, but this approach will buy you some time to find and test out the most frictionless way to authenticate compliantly.
There’s also something to consider for all merchants, no matter how many legs we’re talking about: SCA is happening and fraud will adapt to it. As we learned with EMV, when you secure one area against fraud, it flushes the fraudsters out to less-secured areas. If SCA does its job to make EU transactions more secure, fraudsters will set up shop elsewhere, and merchants have to be ready for that migration.
Who owns the future of ecommerce?
PSD2 is part of a long-standing push by the EU to “federalize” its financial services; it allows consumers and financial services to better transact business from one member country to another. And more recently, like GDPR and EMV, PSD2 is another regulatory landmark that sets Europe ahead of the pack in the future of online payments and processing. It’s a one-two punch that other markets such as the US and China will have to reckon with one way or another.
If the EEA succeeds with PSD2 in developing a more diverse and secure payments infrastructure, all other markets will be playing catch-up. Particularly for merchants and financial services that do business in the EEA, compliance with the Payment Services Directive will put them ahead of the curve as the US and other markets work up to the EU’s example. SCA-compliant merchants will also be shielded from the next wave of fraud, which will relocate to more vulnerable financial sectors still doing things the old way. So while there may be some loopholes to avail yourself of, they should be temporary as markets and merchants adjust to the changes.
TLDR (Too Long, Didn’t Read)
We’ve covered a lot of ground here, so let’s review. PSD2 is the regulatory framework that requires better authentication for transactions. Though “Strong Consumer Authentication” will enhance security for cardholders, merchants should be wary of the “checkout friction” that may occur as a result. There are some loopholes to fall back on, mostly around using non-EEA merchant accounts. Nevertheless, merchants should use these loopholes to transition towards SCA compliance, as fraudsters will be on the hunt for vulnerabilities outside the PSD2 scope.
This article is meant as an overview. If you have any unanswered questions about the implications of PSD2, be sure to consult your processing professionals. ChargebackHelp is well qualified to assist you in this capacity. Drop us a chat down on the right, shoot us an email, or go old-school and call us at 1.888.821.5302.